Haproxy custom acl whitelist IP restrict alias backend specific block reject others


  • I am looking for a way to allow access to certain backends only to certain IP addresses or networks. I am trying to find information that shows/tells how to do this.

    more info:
    I have 10+ backends configured. I have a shared https front end with SSL offloading. I have all the additional certificates added and the "Add ACL for certificate subject alternative names" option checked.

    Each website front end uses the shared https front end and has a very simple Access Control List.

    name: mysite.com    expression: Host Matches    value: mysite.com

    then below in actions:

    Action: Use Backend ACL: mysite.com backend: mysite.com

    This setup has been great because it ties in nicely with pfSense ACME certificates. Previously I did all of this on an nginx reverse proxy; this is much simpler.

    On the frontend access control list I am using "Host Matches", but I can see that I could change that to "Source IP matches IP or Alias".

    Unfortunately I am not sure how to combine the two ("Host Matches" AND "Source IP matches IP or Alias"). I have searched Google, Reddit, and this forum, and there have not been any clear-cut examples of how to accomplish this.

    My understanding so far is that I would go to the HAProxy main "Settings" tab, scroll to the bottom and add some custom code to the Global Advanced pass thru.

    The other problem I am faced with is that most of the IP filtering I have seen appears to use mode: TCP, but my front end is using mode: HTTP, so it may not be compatible code.

    I REALLY REALLY appreciate any help if anyone can give some pointers, examples, or snippets.


  • UPDATE: figured this out thanks to the HAProxy forum.

    On your frontends define more than one ACL such as:

    host1          host matches:                      host1.example.com
    adminIPs       Source IP matches IP or Alias:     111.222.333.444
    

    In the above we have two ACLs: host1 and adminIPs. For adminIPs you can reference a pfSense alias instead of hard-coding an IP if you need it to apply to more than one IP.

    Now, below, for the Action:

    action: Use Backend
    acl names: adminIPs host1
    backend: host1.example.com

    By defining both ACLs, it should only forward to the backend if both ACLs are true.
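    For readers who want to see what the two ACLs and the "Use Backend" action above come out to in the haproxy.cfg that the pfSense package generates, here is an added example. It is not from this thread or from the pfSense/HAProxy projects; the host names, the 192.0.2.0/24 and 198.51.100.7 source addresses, the certificate path and the backend server addresses are placeholders I made up. It also adds an explicit deny for the restricted host, which the thread does not mention, so that a request for host1 from a non-admin address gets a clear 403 instead of whatever happens when no backend rule matches.

```haproxy
# Added example, not the pfSense package's generated output. All names,
# addresses and paths are constructed placeholders.
frontend shared-https
    bind :443 ssl crt /var/etc/haproxy/shared-https.pem   # placeholder path
    mode http

    # ACL 1 ("Host Matches"): which site the client asked for, from the Host header
    acl host1     hdr(host) -i host1.example.com

    # ACL 2 ("Source IP matches IP or Alias"): where the request comes from.
    # "src" is a layer-4 sample fetch and is valid in mode http, so no
    # separate mode tcp frontend is needed for IP filtering.
    acl adminIPs  src 192.0.2.0/24 198.51.100.7

    # Restricted host from a non-admin source: reject explicitly (403 by default).
    # http-request rules are evaluated before use_backend rules regardless of
    # their position in the file.
    http-request deny if host1 !adminIPs

    # Two ACL names on one "if" are ANDed: this is what listing
    # "adminIPs host1" in the pfSense action's ACL field produces.
    use_backend host1.example.com if host1 adminIPs

    # Unrestricted sites keep their plain host-only rule
    acl host2     hdr(host) -i host2.example.com
    use_backend host2.example.com if host2

backend host1.example.com
    mode http
    server web1 10.0.0.10:8080 check   # placeholder internal address

backend host2.example.com
    mode http
    server web2 10.0.0.11:8080 check   # placeholder internal address
```

    Two things worth checking when you apply this. First, without the deny line and without a default_backend, a request for host1 from an address outside adminIPs matches no use_backend rule and HAProxy answers 503; that still blocks access, but an explicit deny is easier to read in the logs and in the config. Second, "src" is the address of the TCP peer, so if the shared frontend itself sits behind another proxy, load balancer or CDN, every request will appear to come from that device and the allowlist will either block everyone or admit everyone; in that case the source check has to be based on the PROXY protocol or on a forwarded-for header that only the upstream proxy can set.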


  • @xanaro I created an account just to thank you for this. This saved me a ton of time!


  • @tomschlick No problem! I was having trouble finding examples of this in any of the documentation myself; it's not entirely obvious that you can simply specify more than one ACL in the HAProxy action table. So I myself was trying to figure this out and luckily somebody answered my question on the HAProxy forums.

    I will add to this that if you reference a pfSense alias, you have to restart the HAProxy service if you add any additional entries to the alias; at least this seems to be the behavior I was noticing.